Election Cybersecurity: Preparing for the 2020 U.S. Elections.
At Cloudflare, our mission is to help build a better Internet. As we look to the upcoming 2020 U.S. elections, we are reminded that having the Internet be trusted, secure, reliable, and accessible for campaigns and citizens alike is critical to our democracy. We rely on the Internet to share and discover pertinent information such as how to register to vote, find polling locations, or learn more about candidates.
Due to the spread of COVID-19, we are seeing a number of election environments shift online, to varying degrees, with political parties conducting virtual fundraisers, campaigns moving town halls to online platforms and election officials using online forms to facilitate voting by mail. As the 2020 U.S. elections approach, we want to ensure that players in the election space have the tools they need to stay online to promote trust and confidence in the democratic system.
We’re keeping an eye on how this shift to online activities affect cyberattacks. From April to June 2020, for example, we saw a trend of increasing DDoS attacks, with double the amount of L3/4 attacks observed over our network compared to the first three months of 2020. In the election space, we are tracking trends and vulnerabilities to better understand the threats against these critical players. Our goal is to use the information to create best practices for election and campaign officials so they can be better prepared for the upcoming elections.
- When comparing types of attacks against campaigns and government election sites, we saw the exact inverse type of attacks with political campaigns experiencing more DDoS attacks while government sites experiencing more attempts to exploit security vulnerabilities.
- On average, state and local government election sites experience 122,475 cyber threats per day with an average of 199 SQL injection attempts per day.
- On average, political campaigns experience 4,949 cyber threats per day, although larger campaigns may see far more.
Project Athenian & Cloudflare for Campaigns Participants
Since 2020, the number of domains under Project Athenian has increased by 48 percent, to 229 state and local government election websites in 28 states receiving our security protections. Cloudflare also protects many political campaigns at all levels on a wide range of plans. Under Cloudflare for Campaigns, an initiative we launched in January 2020 to provide a free package of security protections to political campaigns with our partnership with Defending Digital Campaigns, we protect more than 50 political campaigns from candidates in 27 states.
Significant traffic spikes and probing for vulnerabilities to government election websites
For state and local governments, election night and the days leading up that day are typically the most important days of the year. With constituents accessing voter information such as voting and polling stations, election officials expect higher amounts of traffic to their website. Over the last few months, we’ve seen this shift at Cloudflare, with noticeable increases in traffic ranging from 2 to 3 times the volume of requests to many of these government election websites. We believe there are a wide range of factors for traffic spikes including, but not limited to, states expanding vote-by-mail initiatives and voter registration deadlines due to emergency orders by 53 states and territories throughout the United States. In March, more than 23 states conducted presidential primaries including 14 states on Super Tuesday, the most states on a single day to host primary elections.
At this year’s DEF CON Voting Village, experts from the Department of Homeland Security identified routine failure due to abnormally high demand as the largest risk to election systems because of the coronavirus pandemic. We have seen this in full effect, with traffic to election websites being unpredictable, and including unexplained spikes outside of election cycles, per the graph below.
To help state and local governments under Project Athenian prepare for elections, we wanted to identify the types of threats that election websites face and how to better protect their website from malicious attacks. Since the beginning of this year, we’ve seen a large number of attempts to exploit security vulnerabilities that were mitigated by the web application firewall (WAF), with 90 million threats blocked in March 2020, for example. Cloudflare’s WAF uses managed rulesets to offer a wide range of protection against known vulnerabilities and suspicious behavior and custom firewall rules to allow users to rapidly identify and adapt to the evolving threat landscape. Of the threats we identified, managed rulesets helped mitigate 51% of threats and custom firewall rules mitigated an additional 35% of threats. Having both managed rulesets and custom firewall rules therefore helps safeguard election information.
In previous elections, attackers have used SQL injections against government election websites to attempt to extract information. We therefore did a deeper dive on those types of attacks, to understand if these threats are being conducted leading up to the 2020 election. We identified a number of SQL injection threats that were blocked by Cloudflare, with an average of 43,884 attempts per day across all domains under Project Athenian. SQL injection attacks are commonly attempted against government election sites, with the WAF blocking an average of 199 SQL injection threats per day.
Political Campaigns have experienced more DDoS attacks
When looking at the ecosystem of election security, political campaigns can be soft targets for cyberattacks due to the inability to dedicate resources to sophisticated cybersecurity protections. Campaigns are typically short-term, cash strapped operations that do not have an IT staff or budget necessary to promote long term security strategies.
To gain a better understanding of the threats around political campaigns, we surveyed 80 U.S. federal political campaigns on a range of Cloudflare plans from Cloudflare for Campaigns to our self serve plans. Cloudflare has mitigated a total of 77,192,840 threats on these sites since January 2020. That means that, on average, these sites saw 4,949 threats per day from January 2020 to present. In general, we see larger scale attacks against Senate candidate’s sites than those of House candidates.
As the election season has progressed, we’ve also seen an increase in the average number of attacks against political campaigns, with a 187% increase from May to June 2020. As face to face campaigning is not an option, campaigns now rely on online platforms such as video conferencing software, online fundraising and social media to reach voters. This can present significant cybersecurity challenges to already vulnerable groups, such as political campaigns. Political campaigns are realizing the importance of cybersecurity services and have begun working with state parties and committees on training on the types of cyber threats and widely available resources for campaigns. With basic cybersecurity hygiene training on issues such as password security, two factor authentication, identifying phishing scams, network protection, internal application security and social media privacy, campaign staff are less likely to be the victims of a data breach.
There has been a notable amount of DDoS activity against political campaign websites. DDoS attacks, which can be cheap, easy to organize and highly destructive, are often used for targeting political campaigns. A DDoS attack that takes down a campaign’s website during critical times can severely disadvantage a website. Campaigns used rate limiting to address 63% of the cyber threats they experienced, suggesting that DDoS attacks remain a significant concern.
Securing Elections in 2020
Democracies rely on access to information and trust in government institutions, especially during a crisis. Reflecting this reality, elections officials are more aware and focused on reliability and resilience than ever before. Likewise, political campaigns are increasingly aware of the potential risks of DDoS activity and other cyber threats.
As COVID-19 continues to spread, it puts further pressure on ensuring that the Internet can be used to access and share election information. At Cloudflare, we believe that expanding access to tools that election officials and political candidates need to combat a range of online threats both serves our mission to help build a better Internet and strengthens our democracy.